Analysis

max time kernel: 149s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 23:25

Static task: static1
Behavioral task: behavioral1

Sample: 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
Resource: win7-20231129-en

General

Target: 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
Size: 1.3MB
MD5: 598be0f73441e6dcaf8013aa69d1fe23
SHA1: 4d534f8e44a76b7254ed00364435361e75eb481d
SHA256: 5816a3567cd7a94e38c78ff399ee75e7a00d7732a80e5926e82f15d9f11e8b03
SHA512: 8114b6d541ccbad9a860b4a4490f707f37906aea97fb2cb2eda4a9dbda3a467a276a9970d84a1c44e04498bedb1ee13983a98cefdf5b4a99d4b23de0d44fd146
SSDEEP: 12288:6tOw6BaLUVpyNj3C/Ei9OQSt6uk3zO61zOQJjN6atJ6bVgwtZJz:U6B+UMj3C/Uvw3B8atQVpZJ
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
All 22 processes are existing Windows or third-party service binaries (alg.exe, fxssvc.exe, msdtc.exe, ssh-agent.exe, SearchIndexer.exe and so on). Their on-disk paths appear below, under "Drops file in System32 directory" and "Drops file in Program Files directory", as files the sample and DiagnosticsHub.StandardCollector.Service.exe opened for modification, so what executes here are those modified service images rather than a payload written to a new location.

PID   Process
2368  alg.exe
3444  DiagnosticsHub.StandardCollector.Service.exe
540   fxssvc.exe
3564  elevation_service.exe
4672  elevation_service.exe
468   maintenanceservice.exe
1296  msdtc.exe
3896  OSE.EXE
4520  PerceptionSimulationService.exe
4924  perfhost.exe
2244  locator.exe
2748  SensorDataService.exe
2348  snmptrap.exe
4500  spectrum.exe
464   ssh-agent.exe
396   TieringEngineService.exe
2772  AgentService.exe
4660  vds.exe
4708  vssvc.exe
1672  wbengine.exe
208   WmiApSrv.exe
2672  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)

Description | IoC | Process
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\3416c8231ed82f9f.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory (64 IoCs)

Description | IoC | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
Drops file in Windows directory (3 IoCs)

Description | IoC | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
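The three "Drops file" signatures above are a list of signed service and application executables that were opened for writing. On a suspect host the first question is whether the local copies of those files are still the vendor's. The following PowerShell is an added example written for this page, not part of the sandbox report or of any tool it names: it takes a subset of the paths listed above, checks each file's Authenticode status, records its SHA256, and compares it with the sample's own SHA256 from the General section. The output path and the chosen subset of paths are assumptions; extend the list with any other path from the tables.

```powershell
# Added example (not from the report): triage the executables this report lists as
# "File opened for modification". For each path that exists on the host, check the
# Authenticode signature and record the SHA256 so the result can be compared against
# a known-good reference. $Paths is a subset copied from the report's IoC tables.

$Paths = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\system32\fxssvc.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\system32\SearchIndexer.exe',
    'C:\Windows\system32\vssvc.exe',
    'C:\Windows\system32\wbengine.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe',
    'C:\Program Files\Mozilla Firefox\plugin-container.exe',
    'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe'
)

# SHA256 of the analysed sample, from the General section of the report. A straight
# copy of the sample over a target would match it; a patched original would not.
$SampleSha256 = '5816a3567cd7a94e38c78ff399ee75e7a00d7732a80e5926e82f15d9f11e8b03'

$Results = foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        [pscustomobject]@{ Path = $p; Status = 'Missing'; Signer = $null; SHA256 = $null; Flag = 'absent on this host' }
        continue
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $p
    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    $flag = switch ($sig.Status) {
        'Valid'        { 'ok' }
        'HashMismatch' { 'TAMPERED: embedded signature no longer covers the image' }
        'NotSigned'    { 'no valid signature: tampered if this file is normally catalog-signed' }
        default        { "check manually: $($sig.Status)" }
    }
    if ($hash -eq $SampleSha256) { $flag = 'MATCHES SAMPLE SHA256' }
    [pscustomobject]@{
        Path   = $p
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = $hash
        Flag   = $flag
    }
}

$Results | Sort-Object Flag | Format-Table -AutoSize
# Keep a copy for the case file (output path is an assumption).
$Results | Export-Csv -NoTypeInformation -Path "$env:TEMP\modified-binaries-triage.csv"
```

Two caveats when reading the output. Many System32 binaries carry no embedded signature and are validated through Windows security catalogs; once such a file is modified the catalog lookup fails and Get-AuthenticodeSignature reports NotSigned, not HashMismatch, so NotSigned on a System32 path is as strong a signal as HashMismatch. And a file that still verifies as Valid only shows it was not altered on disk; a service that was restarted from a clean image after the run would still look clean here, so pair this check with the process list from the report.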
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run the device instance names themselves expose the virtualisation stack (CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM and CdRom&Ven_Msft&Prod_Virtual_DVD-ROM, next to a Disk&Ven_DADY&Prod_HARDDISK disk), and the FriendlyName values that were queried carry the same strings. The reads come from spectrum.exe and SensorDataService.exe, two of the modified service binaries listed under "Executes dropped EXE".

All keys below are relative to \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\.

Description | IoC | Process
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

Description | IoC | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
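The two registry signatures above ("Checks SCSI registry key(s)" and "Checks processor information in registry") record which keys were read but not what the reading code compared them against. The PowerShell below is an added example for this page, not code from the report or from the sample: it walks the same SCSI enumeration keys and the same CentralProcessor\0 key from the defender's side and reports which device names and FriendlyName values would give a virtual machine away. The list of vendor/product markers is an assumption about what such a check looks for; the report only shows the keys being opened and FriendlyName and ~MHz being queried.

```powershell
# Added example (not from the report): show what a sandbox-detection routine reading
# Enum\SCSI and CentralProcessor\0 would see on this host. $VmMarkers is an assumption;
# the first three entries are what the report's own instance names contain.

$VmMarkers = @('QEMU', 'Msft', 'Virtual', 'DADY', 'VBOX', 'VMware')   # assumption

$ScsiRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI'
$Findings = @()

foreach ($dev in Get-ChildItem -Path $ScsiRoot -ErrorAction SilentlyContinue) {
    # $dev.PSChildName is the device id, e.g. CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM;
    # each instance key beneath it (e.g. 4&215468a5&0&010000) carries FriendlyName.
    foreach ($inst in Get-ChildItem -Path $dev.PSPath -ErrorAction SilentlyContinue) {
        $friendly = (Get-ItemProperty -Path $inst.PSPath -Name FriendlyName -ErrorAction SilentlyContinue).FriendlyName
        $hits = @($VmMarkers | Where-Object {
            $dev.PSChildName -match $_ -or ($friendly -and $friendly -match $_)
        })
        if ($hits.Count -gt 0) {
            $Findings += [pscustomobject]@{
                Key      = "$($dev.PSChildName)\$($inst.PSChildName)"
                Friendly = $friendly
                Markers  = ($hits -join ',')
            }
        }
    }
}

# ~MHz under CentralProcessor\0 is the value the report shows TieringEngineService.exe
# querying; an implausibly low clock or a generic ProcessorNameString is another VM tell.
$cpu = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
$Findings += [pscustomobject]@{
    Key      = 'HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    Friendly = $cpu.ProcessorNameString
    Markers  = "~MHz=$($cpu.'~MHz')"
}

$Findings | Format-Table -AutoSize
```

None of these keys needs administrative rights to read, which is why this kind of check is cheap for malware and invisible to most file-level controls. Run on the analysis image, the script returns the QEMU and Msft Virtual DVD-ROM entries that appear in the IoC table above; a sandbox that wants this sample to proceed past such checks has to present vendor and product strings that look like physical hardware.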
Modifies data under HKEY_USERS (64 IoCs)
The entries in this signature are written by SearchProtocolHost.exe and SearchFilterHost.exe, the worker processes of the Windows Search indexer (SearchIndexer.exe, listed under "Executes dropped EXE"), and by fxssvc.exe. MuiCache strings and Shell Extensions\Cached timestamps under .DEFAULT are routine side effects of those services indexing under the SYSTEM profile; they show which services ran, not a persistence mechanism of the sample. The page is cut off partway through this table.

All keys below are relative to \REGISTRY\USER\.DEFAULT\.

Description | IoC | Process
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000345e2b5e8b2da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b72c2cb6e8b2da01 | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000107fa2b7e8b2da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004dbf7bb5e8b2da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032df1db6e8b2da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1bd9ab5e8b2da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5d4f6b6e8b2da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" |
SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000652e0db6e8b2da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 
2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe 3444 DiagnosticsHub.StandardCollector.Service.exe 3444 DiagnosticsHub.StandardCollector.Service.exe 3444 DiagnosticsHub.StandardCollector.Service.exe 3444 DiagnosticsHub.StandardCollector.Service.exe 3444 DiagnosticsHub.StandardCollector.Service.exe 3444 DiagnosticsHub.StandardCollector.Service.exe 3444 DiagnosticsHub.StandardCollector.Service.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 668 Process not Found 668 Process not Found -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe Token: SeAuditPrivilege 540 fxssvc.exe Token: SeRestorePrivilege 396 TieringEngineService.exe Token: SeManageVolumePrivilege 396 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 2772 AgentService.exe Token: SeBackupPrivilege 4708 vssvc.exe Token: SeRestorePrivilege 4708 vssvc.exe Token: SeAuditPrivilege 4708 vssvc.exe Token: SeBackupPrivilege 1672 wbengine.exe Token: SeRestorePrivilege 1672 wbengine.exe Token: SeSecurityPrivilege 1672 wbengine.exe Token: 33 2672 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2672 SearchIndexer.exe 
Token: SeDebugPrivilege 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe Token: SeDebugPrivilege 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe Token: SeDebugPrivilege 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe Token: SeDebugPrivilege 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe Token: SeDebugPrivilege 3548 2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe Token: SeDebugPrivilege 3444 DiagnosticsHub.StandardCollector.Service.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2672 wrote to memory of 2552 2672 SearchIndexer.exe 110 PID 2672 wrote to memory of 2552 2672 SearchIndexer.exe 110 PID 2672 wrote to memory of 3812 2672 SearchIndexer.exe 111 PID 2672 wrote to memory of 3812 2672 SearchIndexer.exe 111 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-30_598be0f73441e6dcaf8013aa69d1fe23_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3548
-
C:\Windows\System32\alg.exe (depth 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:2368
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4584
-
C:\Windows\system32\fxssvc.exe (depth 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:540
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:3564
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4672
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:468
-
C:\Windows\System32\msdtc.exe (depth 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1296
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3896
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4520
-
C:\Windows\SysWow64\perfhost.exe (depth 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4924
-
C:\Windows\system32\locator.exe (depth 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2244
-
C:\Windows\System32\SensorDataService.exe (depth 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2748
-
C:\Windows\System32\snmptrap.exe (depth 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2348
-
C:\Windows\system32\spectrum.exe (depth 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4500
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:464
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4724
-
C:\Windows\system32\TieringEngineService.exe (depth 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:396
-
C:\Windows\system32\AgentService.exe (depth 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
C:\Windows\System32\vds.exe (depth 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4660
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4708
-
C:\Windows\system32\wbengine.exe (depth 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:208
-
C:\Windows\system32\SearchIndexer.exe (depth 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
  -
  C:\Windows\system32\SearchProtocolHost.exe (depth 2, child of PID 2672)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2552
  -
  C:\Windows\system32\SearchFilterHost.exe (depth 2, child of PID 2672)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID:3812
-
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA14b16cb819dbe55a845f0d8de21d87394d08158ca
SHA256ce49d8b6ae11696722905de250b43a2e6f6061928cd91a81be77a53bffb3aef6
SHA5125a937f6704dcbc877312aba5c283a08615009eee0725c13fc2add4b9a62c60179b1c0ede474332c94d9daea4861c55a52ee7325c65502fee45e372ab7fd90c87